I am trying to write a command line tool that will give IIS7.5 on Windows Server 2008 write access to a folder in the wwwroot, so that a web application has access to write to a specific folder within its base directory. Formerly, you would do this by assigning the IIS_WPG group on the folder, giving that group Modify access.
In Server 2008 I'm trying to do the same thing with IIS_IUSRS, but an exception is occurring.
Here is the code:
    // Requires: using System.IO; using System.Security.AccessControl;
    private static void ManagePermissions(string directory, string account, FileSystemRights rights, AccessControlType controlType, bool addAccess)
    {
        // Read the directory's current ACL
        DirectoryInfo directoryInfo = new DirectoryInfo(directory);
        DirectorySecurity directorySecurity = directoryInfo.GetAccessControl();

        // Add or remove the rule for the given account
        if (addAccess)
            directorySecurity.AddAccessRule(
                new FileSystemAccessRule(account, rights, controlType));
        else
            directorySecurity.RemoveAccessRule(
                new FileSystemAccessRule(account, rights, controlType));

        // Write the modified ACL back to the directory
        directoryInfo.SetAccessControl(directorySecurity);
    }
The call to this method is as follows:
    ManagePermissions(
        @"c:\inetpub\wwwroot",
        @"MACHINENAME\IIS_IUSRS",
        FileSystemRights.Modify,
        AccessControlType.Allow,
        true);
When I execute that call to ManagePermissions, an exception is thrown with the following type and message:
System.Security.Principal.IdentityNotMappedException:
Some or all identity references could not be translated.
I've checked multiple times to ensure that MACHINENAME\IIS_IUSRS is an exact match with the user in the local user manager on the machine this code is executing on. This machine does not participate in a Windows domain.
Let me know if you need any further clarification.
IIS_IUSRS is a built-in group, so it should not be referenced with [machinename]\IIS_IUSRS but with BUILTIN\IIS_IUSRS. Like so:
    ManagePermissions(
        @"c:\inetpub\wwwroot",
        @"BUILTIN\IIS_IUSRS",
        FileSystemRights.Modify,
        AccessControlType.Allow,
        true);
Switching to that way of referencing the user fixed my code. I get the account in a slightly different way than referenced in your example:

    IdentityReference user = new NTAccount(UserDomain + @"\" + UserName);

And then use it via a different constructor, so that may affect the translation as well, but I doubt it:

    var rule = new FileSystemAccessRule(user, ..., ..., ..., ...);
Update: recently I've seen an error when adding full control for user IIS_IUSRS on non-English Windows (Windows Server 2008 R2 x64, IIS7).
Although IIS_IUSRS is not translated, 'BUILTIN' in front of it can cause an error.
So be careful about using "BUILTIN\IIS_IUSRS"; use just 'IIS_IUSRS' instead - it works on both English and non-English Windows.
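
An added example, not part of the question or the answers above: one way to avoid both the machine-name and the localization problem is to reference the group by its well-known SID (S-1-5-32-568 for the built-in IIS_IUSRS group) instead of by name, and to grant the right only on the one subfolder the application writes to. The class name and the folder path are hypothetical; the inheritance flags are an assumption about wanting the rule to apply to files and subfolders created later.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class IisFolderAcl
{
    // Well-known SID of the built-in IIS_IUSRS group. A SID does not depend on
    // the machine name or on the display language of the Windows installation.
    static readonly SecurityIdentifier IisIusrs = new SecurityIdentifier("S-1-5-32-568");

    // Grants Modify on one directory, inherited by the files and folders below it.
    public static void GrantModify(string directory)
    {
        var info = new DirectoryInfo(directory);
        DirectorySecurity acl = info.GetAccessControl();

        var rule = new FileSystemAccessRule(
            IisIusrs,                       // IdentityReference overload, no name lookup
            FileSystemRights.Modify,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None,
            AccessControlType.Allow);

        acl.AddAccessRule(rule);
        info.SetAccessControl(acl);
    }

    // Returns the local account name for the SID, or null if it cannot be mapped.
    public static string ResolveName()
    {
        try { return IisIusrs.Translate(typeof(NTAccount)).Value; }
        catch (IdentityNotMappedException) { return null; }
    }

    static void Main(string[] args)
    {
        // Hypothetical path: the single folder the web application must write to,
        // rather than the whole wwwroot.
        string target = args.Length > 0 ? args[0] : @"C:\inetpub\wwwroot\MyApp\uploads";

        Console.WriteLine("IIS_IUSRS resolves to: " + (ResolveName() ?? "(not mapped)"));
        GrantModify(target);
        Console.WriteLine("Granted Modify on " + target);
    }
}
```

Changing the ACL of a folder under inetpub normally requires running the tool from an elevated prompt.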